FBI investigating widespread Web site break-ins by crime groups

The FBI today disclosed it has launched 40 separate investigations into alleged hacking incidents by Eastern European organized crime groups that are believed to have stolen more than 1 million credit card numbers from e-commerce and online finance Web sites powered by Windows NT servers.

A spokeswoman for the FBI's National Infrastructure Protection Center (NIPC) said the break-ins have occurred in 20 U.S. states and are thought to be part of a systematic effort by crime syndicates in Russia and Ukraine to break into vulnerable Web servers. Estimated financial losses since the NIPC issued an initial warning about the threat in December total as much as hundreds of thousands of dollars, she said.

But the figure could be much higher, the spokeswoman added, saying that the NIPC hasn't been able to determine an exact damages amount. The agency, which is based at FBI headquarters in Washington, today released an advisory saying the hacking activities are continuing. The advisory reiterated a recommendation that systems administrators should check their Windows NT-based servers to make sure patches designed to fix several known security holes have been installed.

To date, the NIPC spokeswoman said, e-commerce sites across the country have failed to heed the warnings about the holes in Microsoft Corp.'s operating system software. She described the new advisory as "a public service announcement" meant to urge companies to bolster the security of their Web sites by downloading the patches made available by Microsoft.

"These [organized crime] groups have hit on these sites using known vulnerabilities for months now, and people are not heeding the warnings," the spokeswoman said. Microsoft discovered and patched many of the vulnerabilities in NT as early as 1998. But until companies take the appropriate steps, she added, the attacks are "not going to stop."

Scott Christie, an assistant U.S. attorney and intellectual property coordinator at the U.S. Attorney's Office for the District of New Jersey, said federal investigators have identified several different groups of hackers that they believe are responsible for the incidents.

"We have a very good sense of who is involved," Christie said. "It's national in scope and at a point that we all felt it was appropriate to let a wider audience know what is going on." Christie characterized the threat posed by the hackers as a "serious impediment to public confidence in e-commerce."

A Microsoft spokesman said there's no way of knowing how widely the NT patches have been applied. Download rates are a poor indicator because a single download can be applied "an infinite number of times," he noted. Conversely, the fact that a user has downloaded a patch doesn't guarantee it will actually be applied. "Still, it is clear that not enough users are installing patches," the spokesman said.

The crime syndicates are targeting customer data, specifically credit card information, according to the FBI. In many cases, today's advisory said, the attacks go on for several months before the company being hit discovers thee intrusion.

After the attackers steal the data from a Web site, they often contact the victimized company by fax, e-mail or telephone and make a veiled extortion threat by offering Internet-based security services that would protect the targeted server from other attackers.

Federal investigators said they also believe that in some instances, the credit card information is being sold to other organized crime groups. The NIPC's advisories about the attacks list the vulnerabilities that are being exploited and provide links to bulletins issued by Microsoft about the relevant patches.

Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc. in Atlanta, said a lot of malicious hacking activity, including widescale probing of Web servers, is originating in Eastern Europe. "Anything that gets plugged in [to the Internet] gets probed," Rouland said. "It's not a question of if, but when."

The SANS Institute, a Bethesda, Md.-based research organization for systems administrators and security managers, today released an alert about the FBI's ongoing investigations that called the hacking incidents "the largest criminal Internet attack to date."

The alert added that the SANS-affiliated Center for Internet Security plans "within a day or two" to release a software tool that can be used to check NT servers for the vulnerabilities and to look for files found by the FBI on many compromised systems. The center's tools are usually limited to its members, but SANS said this one will be made available on a widespread basis "because of the importance of this problem."

The NIPC wouldn't identify any of the Web sites that have been hit by attacks. But in December, Creditcards.com, a Los Angeles-based company that has since changed its name to iPayment Technologies Inc., confirmed that about 55,000 credit-card numbers had been stolen from its Web site (see story). More than 25,000 of the numbers were exposed on the Internet after the company ignored a $100,000 extortion attempt believed to have come from a Russian hacker.

Earlier this week, Bibliofind.com, an online marketplace for rare and hard-to-find books that's owned by Amazon.com Inc., disclosed that a malicious hacker had compromised the security of credit card data for about 98,000 users of its Web site. The intrusions began in October and weren't discovered until last month, according to Waltham, Mass.-based Bibliofind (see story).

Egghead.com Inc. in Menlo Park, Calif., was also hit by an intrusion late last year. The online technology retailer's CEO said in January that an internal investigation showed that no customer data had been compromised. But some Egghead users claimed that their credit card numbers had in fact been stolen, with one saying her card was debited for a charge to a fraudulent Web site in Russia (see story).

This story, "FBI investigating widespread Web site break-ins by crime groups" was originally published by Computerworld.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies